On Tue, 27 Oct 2020 22:36:38 +0100 Pierre Emeriaud <petrus.lt+open...@gmail.com> wrote:
> Howdy misc@,
>
> I have a fairly complicated setup with lots of interfaces, a couple of
> rdomains etc.
>
> I'd like wireguard to listen only on an IP address, not all. But if my
> understanding of ifconfig(8) is correct, this doesn't seem possible
> currently:
>
>      wgport port
>              Set the UDP port that the tunnel operates on. _The
>              interface will bind to INADDR_ANY and IN6ADDR_ANY_INIT._
>
> I guess this is the reason for the following behaviour?
>
> $ doas ifconfig wg0 wgport 53
> ifconfig: SIOCSWG: Address already in use
> (the error message is generic I guess - but confusing imho)
>
> $ netstat -natfinet | grep 53
> tcp          0      0  127.0.0.1.53           *.*                    LISTEN
> udp          0      0  127.0.0.1.53           *.*
>
> $ netstat -T1 -natfinet | grep 53
> udp          0      0  127.0.0.1.53           *.*
>
> Is there a way to circumvent this restriction? (is there a reason
> behind it maybe?)

A lot has been said already, however I should clarify things.

wg(4)'s primary goal is to provide a secure network tunnel. We have no
desire to obfuscate or manipulate traffic to bypass restrictive
firewalls, which appears to be what you want to use port 53 for.

Why INADDR_ANY (and IN6ADDR_ANY_INIT)?

We listen on all interfaces to discard any notion of trusting IP
addresses and rely entirely on the crypto to authenticate packets. This
ties directly to the "roaming" feature of WireGuard [1]. As Theo
mentioned, we don't want to monitor for addressing changes, so
INADDR_ANY is correct.

Why no configuration knob for bind address?

Well, this is a "simple" VPN and prides itself on minimising unnecessary
configuration while still achieving its primary goals. Allowing
configuration of the bind address opens a whole can of complexity worms,
including configuration failure modes and security issues that we don't
have consensus on. The behaviour exhibited on wg(4) is also consistent
with implementations of WireGuard on other platforms. This has been
discussed before: [2][3].

Finally, if you want to continue using port 53, bind wg first, then
unwind.

Alternatively rdr-to rules will work, and I'm guessing you didn't do any
debugging to figure out why your rules weren't working as expected. If
your goal is to bypass restrictive firewalls, you may also want to add
ports 123, 4500, 5060 to your redirect rules, but keep in mind you're
abusing software in ways it wasn't designed for, so support is minimal.

I imagine it would look something like the following (with wg(4)
listening on port 53535 on the same rdomain):

pass in on $wan proto udp to (self) \
    port { 53, 123, 4500, 5060 } rdr-to 127.0.0.1 port 53535

Cheers,
Matt

[1] https://www.wireguard.com/#built-in-roaming
[2] https://lists.zx2c4.com/pipermail/wireguard/2017-May/001280.html
[3] https://lists.zx2c4.com/pipermail/wireguard/2018-June/003013.html
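Editor's added example, not part of Matt's reply or of OpenBSD's own tooling: a small sh helper that makes the "SIOCSWG: Address already in use" failure above diagnosable before running ifconfig. Since wg(4) binds INADDR_ANY/IN6ADDR_ANY_INIT, any UDP socket already bound on the chosen port in that rdomain collides with it, even one bound only to 127.0.0.1 (unwind's in the report); a TCP listener on the same port does not. The function names (wg_port_conflicts, wg_port_free) and the netstat sample are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): pre-flight check for
# the "SIOCSWG: Address already in use" failure. Because wg(4) binds
# INADDR_ANY/IN6ADDR_ANY_INIT, *any* UDP socket already bound on the chosen
# port in the same rdomain conflicts with it, including one bound only to
# 127.0.0.1. The helper scans netstat(1) output for such sockets so the
# conflict is visible before wgport is set.

# Constructed sample of `netstat -natfinet` output modelled on the report
# above (unwind on 127.0.0.1:53 tcp+udp, another daemon on *:53535).
# It is not a real capture.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.53           *.*                    LISTEN
udp          0      0  127.0.0.1.53           *.*
udp          0      0  *.53535                *.*'

# wg_port_conflicts PORT NETSTAT_OUTPUT
# Prints the local address of every UDP socket bound on PORT, whatever
# address it is bound to. Only UDP matters: a TCP listener on the port does
# not block wg(4)'s UDP bind. The port is the last dot-separated field of the
# netstat "Local Address" column ("127.0.0.1.53", "*.53", "::1.53").
wg_port_conflicts() {
    _port=$1
    printf '%s\n' "$2" | awk -v p="$_port" '
        $1 == "udp" {
            n = split($4, a, ".")
            if (a[n] == p) print $4
        }'
}

# wg_port_free PORT NETSTAT_OUTPUT
# Exit status 0 if no UDP socket holds PORT, 1 otherwise.
wg_port_free() {
    [ -z "$(wg_port_conflicts "$1" "$2")" ]
}

# Usage on a live OpenBSD host (replace the sample with real output, and
# pass -T <rdomain> to netstat to inspect the rdomain the wg interface
# lives in, since the bind only has to be unique within that rdomain):
#   wg_port_free 53 "$(netstat -natfinet)" || echo "udp/53 in use"
if wg_port_free 53 "$SAMPLE_NETSTAT"; then
    echo "udp/53 is free; 'ifconfig wg0 wgport 53' would bind"
else
    echo "udp/53 already held by: $(wg_port_conflicts 53 "$SAMPLE_NETSTAT")"
fi
```

Run against the sample it reports 127.0.0.1.53 as the holder of udp/53, which is exactly why "bind wg first, then unwind" works: once wg0 holds *.53, it is unwind's later bind to 127.0.0.1:53 that would have to fail instead.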